ptrace (ltrace/strace) does not work in non-privileged mode even when apparmor is disabled and SYS_PTRACE is enabled. · Issue #21051 · moby/moby · GitHub
ptrace (ltrace/strace) does not work in non-privileged mode even when apparmor is disabled and SYS_PTRACE is enabled. #21051


Closed
yoshiokatsuneo opened this issue Mar 9, 2016 · 17 comments

@yoshiokatsuneo

Adding both "--cap-add=SYS_PTRACE" and "--security-opt=apparmor:unconfined" does not allow the container to run programs like strace/ltrace that use ptrace (PTRACE_TRACEME).

$ docker run -i -t --cap-add=SYS_PTRACE --security-opt=apparmor:unconfined --rm ubuntu sh -c 'apt-get install -y strace; strace /bin/ls'
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  strace
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 113 kB of archives.
After this operation, 504 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty/main strace amd64 4.8-1ubuntu5 [113 kB]
Fetched 113 kB in 1s (81.3 kB/s) 
Selecting previously unselected package strace.
(Reading database ... 11542 files and directories currently installed.)
Preparing to unpack .../strace_4.8-1ubuntu5_amd64.deb ...
Unpacking strace (4.8-1ubuntu5) ...
Setting up strace (4.8-1ubuntu5) ...
strace: test_ptrace_setoptions_for_all: PTRACE_TRACEME doesn't work: Operation not permitted
strace: test_ptrace_setoptions_for_all: unexpected exit status 1

Only the "--privileged" option allows the container to use ptrace.

Is there any way to allow ptrace without using the "privileged" flag?

Output of docker version:

~$ docker version
Client:
 Version:      1.10.1
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   9e83765
 Built:        Thu Feb 11 19:14:21 2016
 OS/Arch:      darwin/amd64

Server:
 Version:      1.10.1
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   9e83765
 Built:        Thu Feb 11 19:32:54 2016
 OS/Arch:      linux/amd64

Output of docker info:

~$ docker info
Containers: 10
 Running: 8
 Paused: 0
 Stopped: 2
Images: 6
Server Version: 1.10.1
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 393
 Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Plugins: 
 Volume: local
 Network: bridge null host
Kernel Version: 4.2.0-18-generic
Operating System: Ubuntu 15.10
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.858 GiB
Name: docker-node4
ID: U35M:LIYV:T5Q3:PMU5:UV4N:3QAS:I4ZA:YXQW:U23B:2RBK:E2GQ:L7BP
WARNING: No swap limit support
Labels:
 provider=amazonec2
~$ 

Provide additional environment details (AWS, VirtualBox, physical, etc.):
Ubuntu 14.04

List the steps to reproduce the issue:

  1. Run: $ docker run -i -t --cap-add=SYS_PTRACE --security-opt=apparmor:unconfined --rm ubuntu sh -c 'apt-get install -y strace; strace /bin/ls'

Describe the results you received:
strace: test_ptrace_setoptions_for_all: PTRACE_TRACEME doesn't work: Operation not permitted

Describe the results you expected:
strace result

Provide additional info you think is important:

@thaJeztah (Member)

Looks like you got this issue answered in #7276 (comment). Is it ok to close this?

@sanmai-NL

@thaJeztah: ping

@thaJeztah (Member)

@sanmai-NL were you trying to ping @yoshiokatsuneo, or have a question? I think this question is answered in the linked issue, so probably should be closed, but let me know if there's something left to do 👍

@sanmai-NL

@thaJeztah: I saw this issue still open.

@thaJeztah (Member)

@sanmai-NL alright! Let me close this issue as I think it's answered (see my earlier link)

@justincormack (Contributor)

This was fixed in 1.12. You need to disable seccomp in earlier versions.


@thaJeztah thaJeztah added this to the 1.12.0 milestone Oct 25, 2016
@avindra commented Dec 15, 2016

The answer is here:

#7276 (comment)

You should add this as a flag to the container

--security-opt seccomp:unconfined

@thaJeztah (Member)

@avindra see @justincormack's comment above; with docker 1.12 and up it should not be needed to set that option.

@avindra commented Dec 15, 2016

@thaJeztah I'm running Docker for Mac 1.12.3 on macOS 10.12.2 and I needed to use that option. Maybe it's no longer needed for Linux?

@dlsniper (Contributor)

I can confirm this is still an issue on Windows as well:

could not launch process: fork/exec /webinar: operation not permitted

To reproduce it, please use:

docker build -t webinar:debug .
docker run --rm --name=webinar-debug -p 8000:8000 -p 40000:40000 webinar:debug

as for the Dockerfile / repo, you can use this https://github.com/dlsniper/webinar

Docker info:
Version 17.06.0-rc2-ce-win14 (12510)
Channel: edge
e406757

@thaJeztah (Member)

@dlsniper the issue discussed here is not that ptrace doesn't work in a non-privileged container, but that ptrace doesn't work in a non-privileged container with --cap-add=SYS_PTRACE set and apparmor disabled.

If you did not specify those, it's probably expected that it doesn't work, because additional capabilities are always needed (they're blocked by default).

@dlsniper (Contributor)

wow, thank you for the quick reply.

I apologize, I misunderstood this comment:

@avindra see @justincormack's comment above; with docker 1.12 and up it should not be needed to set that option.

Running with

--security-opt="apparmor=unconfined" --cap-add=SYS_PTRACE 

does indeed solve the problem.

Thank you.

@itcreator

Is it possible to do it with docker-compose?

@ryanfb commented Aug 25, 2017

@itcreator Adding the following to the relevant container in my docker-compose.yml seems to work:

    cap_add:
    - SYS_PTRACE
    security_opt:
    - apparmor:unconfined

@itcreator

Thanks. I'll try it

@colceagus

I tried with the options above and setting 0 in /proc/sys/kernel/yama; it didn't say it could not attach to the process, but it said "target:[path-to-my-app]/[app-executable]": could not open as an executable file: Operation not permitted,

which ended in termination and process detachment after some time.
I'm running the app in a docker container under a different user and attaching to the process from CLion.

What could I do?

Thanks!

@irsl commented Oct 19, 2018

--cap-add SYS_PTRACE seems to be enough on Docker 18+:

Without the capability:

# docker run --rm -it --user 1000:1000 -v /usr/bin/strace:/usr/bin/strace  debian:stretch
I have no name!@4ece261cc10b:/$ sleep 1000 &
[1] 6
I have no name!@4ece261cc10b:/$ strace -p 6
strace: attach: ptrace(PTRACE_ATTACH, 6): Operation not permitted

With the capability:

# docker run --rm -it --user 1000:1000 -v /usr/bin/strace:/usr/bin/strace --cap-add SYS_PTRACE debian:stretch
I have no name!@8a42130c59d6:/$ sleep 1000 &
[1] 6
I have no name!@8a42130c59d6:/$ strace -p 6
strace: Process 6 attached
restart_syscall(<... resuming interrupted nanosleep ...>^Cstrace: Process 6 detached
 <detached ...>
I have no name!@8a42130c59d6:/$ cat /proc/self/status|grep Cap
CapInh: 00000000a80c25fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80c25fb
CapAmb: 0000000000000000

As you can see above, the process was running without the capability and it could still attach to the target process (which was running as the same unprivileged user). Because the SYS_PTRACE capability was added on the command line, Docker configured seccomp without blocking the related syscalls (see the ptrace-related section in the default seccomp profile: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json)
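The thread shows two different ptrace requests failing or succeeding for reasons that are easy to conflate: the original report's PTRACE_TRACEME (what strace does at startup) was refused even with CAP_SYS_PTRACE and AppArmor unconfined, because the seccomp profile was the blocker, while irsl's PTRACE_ATTACH (strace -p) succeeded with an empty CapEff because the capability only changes which syscalls Docker's seccomp profile allows. The probe below is an added diagnostic written for this page, not code from the issue, from strace or from Docker. It performs both requests from inside whatever container you run it in and prints, next to the results, whether CAP_SYS_PTRACE is in the effective set and whether a seccomp filter is active, so you can tell which layer answered "Operation not permitted". It assumes a Linux kernel that exposes CapEff and Seccomp in /proc/self/status, and the capability number 19 for CAP_SYS_PTRACE from linux/capability.h; the file name ptrace_probe.c and the function names are its own.

```c
/* ptrace_probe.c: added diagnostic for this thread, not code from the issue
 * or from Docker. Tries PTRACE_TRACEME (what strace does at startup) and
 * PTRACE_ATTACH (strace -p), and reports next to them whether CAP_SYS_PTRACE
 * is in CapEff and whether a seccomp filter is active, so the reader can see
 * which layer answered EPERM. Build: cc -Wall -o ptrace_probe ptrace_probe.c */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

#define CAP_SYS_PTRACE_BIT 19  /* capability number from linux/capability.h */

/* 1 if capability `cap` is set in a /proc/<pid>/status hex mask such as the
 * "00000000a80c25fb" CapBnd value quoted in this thread. */
int cap_in_mask(const char *hexmask, int cap)
{
    return (int)((strtoull(hexmask, NULL, 16) >> cap) & 1ULL);
}

/* Copy the value of a "Key:\t<value>" line out of status text; 1 on a hit. */
int status_field(const char *text, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = text;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':') {
            const char *v = p + klen + 1;
            while (*v == ' ' || *v == '\t') v++;
            size_t n = strcspn(v, "\n");
            if (n >= outlen) n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

/* Fork a child that asks to be traced by us. Returns 0 if allowed, the child's
 * errno (EPERM from a seccomp errno-return filter, Yama or an LSM), or -1 if
 * the child died without reporting (e.g. SIGSYS from a seccomp kill filter). */
int probe_traceme(void)
{
    int fd[2], err = -1, status;
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(fd[0]);
        int e = ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1 ? errno : 0;
        _exit(write(fd[1], &e, sizeof e) == (ssize_t)sizeof e ? 0 : 1);
    }
    close(fd[1]);
    if (read(fd[0], &err, sizeof err) != (ssize_t)sizeof err) err = -1;
    close(fd[0]);
    waitpid(pid, &status, 0);
    return err;
}

/* Fork an idle child and attach to it the way `strace -p` does. The target has
 * our uid and is our descendant, so Yama ptrace_scope=1 still permits it; a
 * remaining EPERM comes from seccomp, an LSM or ptrace_scope>=2. 0 or errno. */
int probe_attach(void)
{
    int err = 0, status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) for (;;) pause();
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        err = errno;
    } else {
        waitpid(pid, &status, 0);             /* attach delivers a SIGSTOP */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
    }
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return err;
}

int main(void)
{
    char status[8192], val[64];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    size_t n = fread(status, 1, sizeof status - 1, f);
    fclose(f);
    status[n] = '\0';
    if (status_field(status, "CapEff", val, sizeof val))
        printf("CAP_SYS_PTRACE in CapEff: %s\n", cap_in_mask(val, CAP_SYS_PTRACE_BIT) ? "yes" : "no");
    if (status_field(status, "Seccomp", val, sizeof val))
        printf("Seccomp mode: %s (0 = none, 2 = filter active)\n", val);
    int t = probe_traceme(), a = probe_attach();
    printf("PTRACE_TRACEME: %s\n", t == 0 ? "ok" : t > 0 ? strerror(t) : "child killed");
    printf("PTRACE_ATTACH to own child: %s\n", a == 0 ? "ok" : a > 0 ? strerror(a) : "fork failed");
    return 0;
}
```

Run it with and without --cap-add=SYS_PTRACE, and with --security-opt seccomp:unconfined, to see the three layers separately. PTRACE_TRACEME needs no capability at all, so EPERM on that line while CapEff already contains bit 19 and Seccomp mode is 2 points at the seccomp profile rather than at a missing capability, which is the combination in the original report; EPERM on the attach line alone is what a host with Yama ptrace_scope set to 2 or higher, or an LSM, produces.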
